Know Your Enemy, 2nd Edition
KYE was not written by a single author, rather by The Honeynet Project. They are a group of 30 individuals with complementary technical and legal skills. This diverse authorship creates a book with an abundance of valuable information.
The book details setting up a honeypot (a single host designed to gain the attention of network intruders) and a honeynet (a network designed to be penetrated to understand the motives of the attackers). If you can get an intruder to attack the bogus network, the double benefit is that 1) the attacker can do no damage to production data, while 2) his activities are being monitored, and with analysis can be understood.
The book's premise is that it is not simply enough to know you have enemies; you need to understand what exactly it is they are doing, how they are doing it, the tools they are employing, and their objectives. Armed with such information, a company can ensure that it is best using its resources to defend against and defeat its enemy.
This is the second edition of KYE, and honeynets have changed significantly since the first edition came out. With that, the first five chapters of the book go into what exactly a honeynet is, and then explain the differences between first- and second-generation honeynets. The main difference between the editions is that the first edition focused more on honeypots, or individual hosts. The second edition expands that to networks meant to be broken into, namely honeynets.
The opening chapters also go into details about the specific value of honeynets. For those that entertain the idea that their honeynet is going to enable them to catch the next Kevin Mitnick, they will be clearly disappointed. The main benefit of honeypots and honeynets is information. Information is power, especially in computer security. For most hackers, their greatest fear is not necessarily getting caught, but rather having someone watch and gather information on them without their knowledge. And that is exactly what a honeynet attempts to do.
Chapter 8 (written by an attorney from the U.S. Dept. of Justice) concludes part one of the book with a look at the legal issues involved with honeynets. There are legal issues that one needs to take into consideration before rolling out a honeynet. Failing to take these legal issues to heart can change a honeynet from being an invaluable forensics tool into an expensive legal liability. Those in the corporate arena are well served to work with their legal counsel before deploying a honeynet.
Part 2 (chapters 9-15) goes into the important area of analysis. Collecting data, after all, is only the first part. Analyzing it and making sense of it all is the difference between an experienced detective and a Keystone Cop. The analogy is real in that a honeynet is a potential crime scene.
Data analysis and forensics are crucial in that they are the only way to interpret the various types of data involved. The key for those involved is extracting the different types of data and turning that data into valuable information. Effective forensics enables digital investigators to know the difference between an innocuous attack and a malicious one.
While Part 2 is the most technical section of the book, Part 3 (chapters 16-21) attempts to explain the sociological reasons why whitehats and blackhats do what they do. Just as Clarice Starling in The Silence of the Lambs was able to profile Hannibal Lecter, knowing a profile of your adversary is crucial in containing the damage he can do. Identifying and understanding those attacking your system is just as important as the technical and analytical skills you will use in exposing them.
Know Your Enemy is a unique book in that it details not simply how to install and configure security devices, but how to use those devices to ensure a much greater level of security. It shows how you can take a proactive approach to computer security and understand the mindset of the attacker. That is something not easily found in other books.
The CD-ROM that comes with the book includes 10 of the book's 21 chapters, a number of informative white papers, all of the open source tools that the authors use, and a video about honeynets.
Those who enjoyed Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage by Clifford Stoll will similarly find KYE entertaining and invaluable.
The companion web site for the book is honeynet.org/book. In and of itself, it is a great website, and complements a great book.
Overall, KYE is a most informative book on a fascinating subject. Unlike many computer security books, KYE is light on theory and screen dumps, but heavy on valuable and useful information on securing hosts and networks from adversaries. If you are looking for a proactive way to secure your corporate network, Know Your Enemy is the perfect place to start.
You can purchase Know Your Enemy : Learning about Security Threats (2nd Edition) from bn.com. Slashdot welcomes readers' book reviews. To see your own review here, carefully read the book review guidelines, then visit the submission page.
boring...
FP
How come all these slashdot liberal asshats want to protect the first amendment but cannot stand the second amendment?
My dating guide for single guys.
YOU FAIL IT
We will be getting arrested on code profiling!
Programmer: I swear I didn't do it.
FBI: Well, you have a different style of formatting your code, we know it was you.
I remember the first KYE, and I remember the most annoying thing was the last section was a huge dump of IRC logs from a bunch of script kiddies. While it wasn't a bad thing to get to know the enemy, I don't think it warrants the whole last 1/3 of the book being dedicated to it, maybe as an appendix. From the author's description it sounds more like this book is geared towards the wonders of the Honeynet.
Has anyone ever made a door game that simulates hacking into a network? It'd make for an entertaining addition to a BBS.
The other alternative could be to set up a honeynet behind a firewall, either using VMWare or old hardware, and give users access to (some) of the systems.
While "Chapter 8 (written by an attorney from the U.S. Dept. of Justice) concludes part one of the book with a look at the legal issues involved with honeynets. There are legal issues that one needs to take into consideration before rolling out a honeynet. Failing to take their legal issues to heart can change a honeynet from being an invaluable forensics tool into an expensive legal liability. Those in the corporate arena are well served to work with their legal counsel before deploying a honeynet." is legally a terrific summary, could someone (legally) elaborate on the illegalities of honeypots and nets?
If you don't know what AltaVista is (was), get off my lawn.
So... my #1 suspected enemy is Winnie the Pooh!!!
Honeynet (noun): 1. Used to replace another noun indicating a network resource that has been Slashdotted in order to indicate slowness. Syn. Molassesnet, Ketchupnet. Ant. Local Area Network. Usage: "Fsking Slashdot! This place is a honeynet now."
Is it worth / recommended for the owner of the first edition to buy/read the 2nd edition?
How does it compare to the "additional material" originally presented in Honeypots: Tracking Hackers by Lance Spitzner (member of Honeynet Project) which was to address the growing and changing nature of honeypots and the early evolution of honeynets?
but I wouldn't use it as a textbook on "knowing the enemy" in a modern network environment. Your comparison worries me enough to warrant me not buying the book you're reviewing.
I don't read your sig, why do you read mine?
I'm pretty sure that in this day and age law enforcement is the enemy.
Thank you for the enlightening comparison of a subject in which I am sort-of-maybe competent (computer security), to one in which I am functionally impotent (field forensics).
Aww, from the title I was hoping it was a book about Microsoft (or Apple), or the US government, or some political party, or religious extremists, or luddite extremists, or something. Frankly, crackers are the least scary of the people I think of as 'enemies'.
Reminds me of what happened to Gene Hackman's character in The Conversation . I personally think that it's more of a challenge / territorial thing- that once hacked, you become motivated to try again without getting caught. Kind of like a Respawn... I agree with the article that the primary purpose is not to 'catch' the hamsters, but to learn their patterns as they race around in their safe little wheels.
As far as organizing the system, why not set it up like George Carlin's old joke - When they put you on hold, they play music. Why not just connect all the people on hold together, and let them talk to each other ?
like this one:
...but if I'm going to kill people, I don't stick to the same method each time; I choose whatever method is the simplest, safest and least likely to leave anything around for someone to catch me.
For example, a daylight murder with a single bullet to the head is quite different from finding a decapitated and mutilated body in a ditch.
Perhaps, if you happen to be a crime scene investigator and are used to this. For me, both of the above items would fit quite nicely into the "Jesus Christ on a Popsicle Stick, I Just Found a Dead Body, HolyShitHolyShitHolyShit!" category.
In Soviet Russia, Chuck Norris will still kick your ass.
> For example, a daylight murder with a single bullet to the head is quite different from finding a decapitated and mutilated body in a ditch.
Yikes - I hope you don't write the church newsletter.
1) Set up soda machine in office.
2) Track Mountain Dew purchases.
3) Use data to identify potential "troublemakers".
> Just as Clarice Starling in The Silence of the Lambs was able to profile
One does not refer to fictitious plot-lines / stories when discussing real-world topics.
I looked at the PDF of Chapter 8, and it seemed a little vague. It stated that intruders do not have a reasonable expectation of privacy and owners have a right to monitor their networks, but that there could still be some issues, especially on government-owned networks. They recommended a banner saying that by logging on, the user consented to monitoring. It was still a little confusing; I would have liked to see an example of a court case that found in favor of the intruder.
The authors also point out that in countries with weak economies, e.g. Romania, hackers are often interested in financial gain. Not too surprising. If the computer-related job market keeps getting worse, I wonder if there will be an increase in hacking for money.
The link provided (http://www.honeynet.org/book/) gives two chapters of the book in PDF form. They are both well worth the read. Especially chapter 16 on profiling. WARNING: Like all works of sociology, it will make you realize that we are just monkeys.
Still haven't used the links? Here's an excerpt from ch.16 that I find beautiful. Subject is an analysis of the Jargon File, believe it or not...
One of the more surprising (and prominent) thematic categories to arise from the analysis is the magic/religion category. While this was one of the a priori thematic categories that we anticipated would emerge from the analysis, it is one that often surprises people who are not familiar with the hacker community. The most common comment that arises when this result is discussed is "You mean hackers are religious??? You've got to be kidding."
The answer to this quandary can be found in the nature of the technology that lies at the heart of this counterculture. Many members of the hacker community deal with complex operating systems, program applications, and network architectures where it is often not possible to answer with certainty the question "If I perform action A, will the operating system/program/network behave precisely with result B?" That is, because of the complexity of modern operating systems, programs, and network topologies, there is a disconnect between the classical forces of cause and effect. Whenever you have a situation where you cannot logically reconstruct the linkage between cause and effect, you in effect have an instance of "magic." (emphasis mine)
Literalism isn't a form of humor, it's you being irritating.
I think your example is probably close to what the book says (not having seen the book.) It's also a rather improbable scenario and seems to imply that if your honeypot/honeynet is vulnerable you bear some sort of liability that you wouldn't if it was just your desktop system that was abused in the same way. I don't understand that, and I also don't think such liability has ever been asserted in any case nor found to have existed by any court. I'm guessing the lawyer is Richard Salgado, who's issued this warning before. Notice that the nature of the warning he gives is that someone succeeds in committing abuse through your honeypot, which is not the goal when you set up the honeypot and is not normally what happens when you set up a honeypot. I think Salgado tries far too hard to find a problem where none exists - but then he's the lawyer, I'm not. (come to think of it, though, that's just how lawyers are.)
I don't think the wiretap laws apply: you aren't tapping a wire, you're watching traffic deliberately sent to your system. Your system, let me repeat.
I don't think entrapment applies (not even for law enforcement): the honeypot/honeynet is simply created, not advertised, and the felons seek it out on their own. That is not suggesting to someone that they commit a crime and then arresting them when they do. It's less a crime than for a shapely policewoman to wear a revealing red dress in a bar and then arrest a john who propositions her. If LEAs are worried about entrapment let them not set up honeypots. The book is for non-LEA people anyway.
P.S. I think that, many years ago, I saw that policewoman. Seriously.
I wouldn't be so sensitive about this if I didn't occasionally see "Foreward" and "Forward" in actual books. Really! I don't know about you, but when I am contradicted by real, bound paper books, it sometimes makes me momentarily doubt myself. (Nothing I read online ever has this effect on me). What's next--admitting I could be wrong? Hah!
Happily, my infallibility is not threatened by this book--I downloaded the "Foreward" and was relieved to see that it's only a harmless "Foreword" after all.
Great men are almost always bad men--Lord Acton's Corollary
These fools did a detailed analysis of the jargon file. The jargon file explicitly states that it's about "perl hackers" and such as opposed to "l33t h4xors" and such. It would prefer you to call the latter "crackers" and not taint the word "hacker" with their association at all. At the very most, the cracker culture is a subculture of the hacker culture that the jargon file describes. This is a pretty obvious distinction that someone writing a book on the subject really shouldn't have missed.
Ben's quite infamous around eWEEK.
He's the guy who wrote a provocative editorial claiming Big Brother cannot happen in the US.
We need less of Ben Rothke.
Just as Clarice Starling in The Silence of the Lambs was able to profile Hannibal Lecter... Hey, hold up there... Agent Starling wasn't able to do any such thing. It was Dr. Lecter who had the brilliant profiling ability, and Starling was ordered to take advantage of it. I mention that not to reaffirm a gratuitous point of pop culture, but because the author's value as a book reviewer is defined by his heedlessness. It's one thing to remember wrongly or to misinterpret, but that wasn't even wrong. It was just.. arbitrary; an unconsidered, vaguely appropriate reference to fill the blank space between related yet unconnected sentences. I finished the piece with the feeling I'd get a more substantial and accurate sense of the book's content by reading the dust jacket.
All very interesting, but who outside of law enforcement and The Honeynet Project and maybe academia is actually ever going to produce a honeynet? It's a lot of money for no real purpose. Good luck selling this book!
"Modus operandi" means "means of operation", not motives. Understanding the means by which an attacker compromised a system is useful information but tells you next to nothing about why the attacker did it. Of course, a honeynet can tell you something about motives, perhaps.
Posters recognized by their sig,
> you need to understanding what exactly it is they are doing, how they are doing it, the tools they are employing, and their objectives.
Many hackers will buy this book. They will analyse the structure of the honeypot and honeynet used to detect them. They will alter their strategy so as to counter this. They will use new tools so as to minimize detection and make it harder for analysts to profile. Though their objectives will not change, their methods will, and many will mask their behaviour so as not to appear to have the objectives you think they have. Finally, this book is in the public domain, and many analysts will generally stick with the guidelines of books like these, whereas the hackers, generally being more creative, will not stick to guidelines. The best ones will always be one step ahead of this. Many can even now detect when they are penetrating a honeynet or honeypot and will no doubt continue to do so.